AWS Certified Developer – Associate (DVA-C02) — Question 300

A developer must use multi-factor authentication (MFA) to access data in an Amazon S3 bucket that is in another AWS account.

Which AWS Security Token Service (AWS STS) API operation should the developer use with the MFA information to meet this requirement?

Answer options

• A. AssumeRoleWithWebIdentity
• B. GetFederationToken
• C. AssumeRoleWithSAML
• D. AssumeRole

Correct answer: D

Explanation

The AssumeRole API operation is used to obtain temporary security credentials for cross-account access and supports passing MFA parameters such as SerialNumber and TokenCode. AssumeRoleWithWebIdentity and AssumeRoleWithSAML are intended for federated users authenticated via external identity providers rather than direct cross-account IAM role assumption. GetFederationToken is used to return temporary credentials for federated users within the same account and does not facilitate cross-account access.